Cotopaxi - origin / idea

* IoT introduced new protocols: CoAP, DTLS, MQTT
  and refurbished old protocols: UPnP, SSDP

* Lack of security testing tools
  for IoT protocols (except for MQTT)

* Low level of security measures
  of IoT components and devices

* Our team performed assessment
  of multiple IoT components - results:
  - ideas for tools
  - corpus of malformed messages
  - 20+ new vulnerabilities


IoT security tool — landscape (end of 2017)

[Table: IoT protocols supported by free IoT tools. Columns: Tool, AMQP, CoAP, DTLS, HTCPCP, mDNS, MQTT, QUIC, RTSP. Rows: service_ping, server_fingerprinter, credential_cracker, resource_listing, protocol_fuzzer, client_proto_fuzzer, vulnerability_tester, client_vuln_tester, amplifier_detector, active_scanner. The per-cell support marks are not legible.]


sudo nmap 1xx.1xx.1xx.1xx -sU -p 10001-10005,20000-20010 -A

Starting Nmap 7.70 ( https://nmap.org ) at 2019-99-9 99:99 CET
Nmap scan report for 1xx.1xx.1xx.1xx
Host is up (0.00059s latency).

PORT      STATE         SERVICE        VERSION
10001/udp open|filtered scp-config
10002/udp open          documentum?
10003/udp open          documentum_s?
10004/udp open          unknown
10005/udp open          unknown
20000/udp open|filtered dnp
20001/udp open|filtered microsan
20002/udp open          commtact-http
20003/udp open          commtact-https
20005/udp open|filtered openwebnet
20006/udp open|filtered unknown


Wireshark view on CoAP traffic

[Screenshot: packet list of 12-byte UDP datagrams between two hosts (addresses redacted), e.g. 48443 -> 10002, 57186 -> 10003, 49034 -> 10001, 60966 -> 10001, 34418 -> 10001, each shown only as "UDP ... Len=12" because Wireshark does not recognize CoAP on these non-standard ports.]

  User Datagram Protocol, Src Port: 48443, Dst Port: 10002
  Data (12 bytes)
    Data: 4001736a7227124474657374
    [Length: 12]

  0000  00 08 e3 90 50 65 f3 2a 28 5b 08 00 45 00
  0010  00 28 3b 89 40 00 40 11 e9 a2 6a 78 b8 11 6a 78
  0020  88 97 bd 3b 27 12 00 14 15 bf 40 01 73 6a 72 27
  0030  12 44 74 65 73 74


Wireshark view on CoAP traffic — "Decode As" CoAP

[Screenshot: the same packets after "Decode As" CoAP, listed as e.g. "CoAP 54 CON, MID:29546, GET, :10002/test".]

  User Datagram Protocol, Src Port: 48443, Dst Port: 10002
  Constrained Application Protocol, Confirmable, GET, MID:29546
    01.. .... = Version: 1
    ..00 .... = Type: Confirmable (0)
    .... 0000 = Token Length: 0
    Code: GET (1)
    Message ID: 29546
    Opt Name: #1: Uri-Port: 10002
      Opt Desc: Type 7, Critical, Unsafe
      0111 .... = Opt Delta: 7
      .... 0010 = Opt Length: 2
      Uri-Port: 10002
    Opt Name: #2: Uri-Path: test
      Opt Desc: Type 11, Critical, Unsafe
      0100 .... = Opt Delta: 4
      .... 0100 = Opt Length: 4
      Uri-Path: test
      [Uri-Path: :10002/test]

  0000  00 08 e3 90 50 65 f3 2a 28 5b 08 00 45 00
  0010  00 28 39 fd 40 00 40 11 eb 2e 6a 78 b8 11 6a 78
  0020  88 97 bd 3b 27 12 00 14 15 bf 40 01 73 6a 72 27
  0030  12 44 74 65 73 74
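The decode tree above is the CoAP wire format of RFC 7252 applied to the 12 data bytes 4001736a7227124474657374. The following decoder is an added example written for this page, not code from Cotopaxi or Wireshark: it reproduces the fields shown in the "Decode As" view (version, type, token length, code, message ID, the delta-encoded Uri-Port and Uri-Path options) and goes beyond that single packet to the general cases a malformed-message corpus exercises: extended option delta/length (nibbles 13 and 14), the reserved nibble 15, truncated options and the 0xFF payload marker. The second input, CONSTRUCTED, is a sample message built here to exercise those paths; OPTION_NAMES is a small subset of the registered CoAP options.

```python
"""Decoder for the CoAP wire format (RFC 7252): header, token, options, payload.

Added example, not Cotopaxi's or Wireshark's code. CAPTURED is the datagram
from the capture above; CONSTRUCTED is a sample built here to exercise
extended option deltas, a token, and a payload after the 0xFF marker."""
from dataclasses import dataclass, field
from typing import List, Tuple

TYPE_ABBR = {0: "CON", 1: "NON", 2: "ACK", 3: "RST"}
METHOD_NAMES = {"0.00": "Empty", "0.01": "GET", "0.02": "POST", "0.03": "PUT", "0.04": "DELETE"}
OPTION_NAMES = {3: "Uri-Host", 7: "Uri-Port", 8: "Location-Path", 11: "Uri-Path",
                12: "Content-Format", 14: "Max-Age", 15: "Uri-Query", 60: "Size1"}
UINT_OPTIONS = {7, 12, 14, 60}      # big-endian unsigned integer, empty value means 0
STRING_OPTIONS = {3, 8, 11, 15}     # UTF-8 string


@dataclass
class CoapMessage:
    version: int
    msg_type: int                 # 0 CON, 1 NON, 2 ACK, 3 RST
    token: bytes
    code: str                     # "class.detail", e.g. "0.01" is GET
    message_id: int
    options: List[Tuple[int, str, object]] = field(default_factory=list)
    payload: bytes = b""


def _extended(nibble: int, data: bytes, pos: int) -> Tuple[int, int]:
    """Resolve a 4-bit delta/length nibble; 13 and 14 read 1 or 2 extension bytes."""
    if nibble < 13:
        return nibble, pos
    if nibble == 15:
        raise ValueError("option delta/length nibble 15 is reserved")
    width = 1 if nibble == 13 else 2
    if pos + width > len(data):
        raise ValueError("truncated option header")
    return int.from_bytes(data[pos:pos + width], "big") + (13 if width == 1 else 269), pos + width


def _decode_option(number: int, raw: bytes):
    if number in UINT_OPTIONS:
        return int.from_bytes(raw, "big")
    if number in STRING_OPTIONS:
        return raw.decode("utf-8")
    return raw                         # unknown or opaque option: keep the bytes


def parse_coap(data: bytes) -> CoapMessage:
    if len(data) < 4:
        raise ValueError("CoAP header needs at least 4 bytes")
    first = data[0]
    version, msg_type, tkl = first >> 6, (first >> 4) & 0x3, first & 0xF
    if version != 1:
        raise ValueError(f"unsupported CoAP version {version}")
    if tkl > 8:
        raise ValueError("token lengths 9..15 are reserved")
    if len(data) < 4 + tkl:
        raise ValueError("truncated token")
    msg = CoapMessage(version, msg_type, data[4:4 + tkl],
                      f"{data[1] >> 5}.{data[1] & 0x1F:02d}", int.from_bytes(data[2:4], "big"))
    pos, number = 4 + tkl, 0            # option numbers are delta-encoded, starting at 0
    while pos < len(data):
        byte = data[pos]
        pos += 1
        if byte == 0xFF:                # payload marker: everything after it is payload
            if pos == len(data):
                raise ValueError("payload marker not followed by payload")
            msg.payload = data[pos:]
            break
        delta, pos = _extended(byte >> 4, data, pos)
        length, pos = _extended(byte & 0xF, data, pos)
        number += delta
        if pos + length > len(data):
            raise ValueError("truncated option value")
        raw, pos = data[pos:pos + length], pos + length
        msg.options.append((number, OPTION_NAMES.get(number, f"Option-{number}"),
                            _decode_option(number, raw)))
    return msg


def describe(msg: CoapMessage) -> str:
    """Packet-list style summary, e.g. 'CON, MID:29546, GET, :10002/test'."""
    ports = [v for n, _, v in msg.options if n == 7]
    path = "/".join(v for n, _, v in msg.options if n == 11)
    uri = (f":{ports[0]}" if ports else "") + (f"/{path}" if path else "")
    parts = [TYPE_ABBR[msg.msg_type], f"MID:{msg.message_id}", METHOD_NAMES.get(msg.code, msg.code)]
    return ", ".join(parts + [uri] if uri else parts)


def is_malformed(data: bytes) -> bool:
    """True when the bytes do not decode as CoAP (what a fuzzer corpus is full of)."""
    try:
        parse_coap(data)
        return False
    except ValueError:
        return True


CAPTURED = bytes.fromhex("4001736a7227124474657374")      # the 12 data bytes from the capture above
# Constructed: NON POST, 2-byte token, Uri-Path "hello", Content-Format 50,
# Size1 via a 13-extended delta (0xD1 0x23), then a JSON payload after 0xFF.
CONSTRUCTED = (bytes([0x52, 0x02, 0x00, 0x01, 0xAA, 0xBB, 0xB5]) + b"hello"
               + bytes([0x11, 0x32, 0xD1, 0x23, 0x10, 0xFF]) + b'{"a":1}')

if __name__ == "__main__":
    for raw in (CAPTURED, CONSTRUCTED):
        m = parse_coap(raw)
        print(describe(m))
        for number, name, value in m.options:
            print(f"  option #{number} {name}: {value!r}")
        if m.payload:
            print(f"  payload: {m.payload!r}")
```

Running the block prints "CON, MID:29546, GET, :10002/test" for the captured datagram, matching the packet-list line in the screenshot. Every length check raises ValueError instead of silently accepting a short buffer; a decoder that stops at the first structural problem is what separates a robust server from the crash and hang findings listed later in the deck.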




Cotopaxi - the toolkit

* Set of tools for security testing
  of Internet of Things devices
  using network IoT protocols

* License: GPL-2.0

* Repository:
  https://github.com/samsung/cotopaxi

* Releases:
  * 1st release in March 2019
    (before Black Hat Asia)
  * 4th release in August 2020 NEW!
    (before Black Hat USA and DEFCON)

* Active stratovolcano
  in Ecuador

* Elevation:
  19,347 ft / 5,897 m


* For pentesters to:
  * analyze environments using IoT, Smart-{Home, Factory, City}
  * find active endpoints using IoT protocols
  * classify software of IoT devices
  * identify network traffic reflectors (DDoS)

* For security researchers to:
  * perform "black box" testing of IoT devices
  * identify known security vulnerabilities
  * identify OEM devices (by classification)
  * fuzz components or interfaces
  * test traffic amplification (DDoS)

* For developers or vendors of IoT devices to:


Cotopaxi - features in 4th release

Reconnaissance phase:

* Service ping
  - checking availability of network services
* Security scanner - verifying security settings
  (e.g. supported ciphersuites, certificates)
* Software fingerprinting - recognizing
  the software used by remote network server
* Resource listing "dirbusting"
  - discovering resources identified by given URLs
* Device identification - passive analysis of traffic NEW!
  and device classification using Machine Learning

Pre-exploitation phase:

* Amplification sniffing - detecting network traffic amplification
* Protocol fuzzing - fuzzing implementation of protocol
  - from 2nd release for protocol clients and servers
* Vulnerability testing - identifying known vulnerabilities
  - from 2nd release for protocol clients and servers


Cotopaxi - supported IoT protocols

* Supported in 1st release:
  * Constrained Application Protocol (CoAP)
  * Datagram Transport Layer Security (DTLS)
  * Multicast DNS (mDNS) / DNS Service Discovery (DNS-SD)
  * Message Queuing Telemetry Transport (MQTT)

* Added in 2nd and 3rd releases:
  * Hyper Text Coffee Pot Control Protocol (HTCPCP)
  * Simple Service Discovery Protocol (SSDP)
  * Real Time Streaming Protocol (RTSP)

* Added in 4th release:
  * Advanced Message Queuing Protocol (AMQP)
  * MQTT - Sensor Networks (MQTT-SN) NEW!
  * Quick UDP Internet Connections (QUIC)

* Planned for next releases:
  * Distributed Network Protocol (DNP3)
  * KNX (building automation protocol)


IoT protocols - Quick UDP Internet Connections (QUIC)

* Created by Google and widely used
  in Google Apps like Docs, Maps and IoT devices

* Transport layer for HTTP/3

* General-purpose transport layer protocol with:
  - built-in communication security
  - multiple streams in one connection
  - low latency on setup

* UDP-based

[Figure: layout of a QUIC packet inside a UDP packet: QUIC Public Header (unencrypted, authenticated), followed by the QUIC Private Header and the rest of the QUIC packet as AEAD data.]

Source: Kate Pearce "HTTP/2 & QUIC: Teaching Good Protocols To Do Bad Things"


Message Queuing Telemetry Transport - Sensor Networks

* MQTT
  - most popular IoT messaging protocol
  - TCP-based

* MQTT-SN (Sensor Networks)
  - UDP-based clone of MQTT
  - small changes in packet formats
  - all ideas are the same
  - not as popular as MQTT

Source: Trend Micro "The Fragility of Industrial IoT's Data Backbone"


Cotopaxi feature — service ping

* Identifies active service endpoints (IPv4/IPv6:port)
* Does not use ICMP echo!

* For each protocol there is a set of messages
  that triggers responses in all tested servers
  e.g. DTLS - Client Hello in all DTLS versions

* Better than using standard tools:
  nmap and wireshark do not recognize
  IoT traffic on non-standard ports


Cotopaxi feature — service fingerprinting

* Detection of software and version used by server

* Equivalent to nmap -sV
  (Service and Application Version Detection)

* Uses machine learning classifier

* In this version works only for CoAP, DTLS

Source: https://www.secmeme.com/2014/02/on-internet-of-things-nobody-knows.html


* Identification of IoT devices using captured traffic (PCAP format)
  using machine learning classifier

* In this version supports 60+ devices:
  webcameras, SmartHome devices, smartTVs

* Corpus of traffic for IoT devices
  provided by authors of papers:
  - Jingjing Ren, Daniel J. Dubois, David Choffnes,
    Anna Maria Mandalari, Roman Kolcun, Hamed Haddadi,
    "Information Exposure for Consumer IoT Devices:
    A Multidimensional, Network-Informed Measurement Approach"
  - A. Sivanathan, H. Habibi Gharakheili, F. Loi, A. Radford,
    C. Wijenayake, A. Vishwanath and V. Sivaraman,
    "Classifying IoT Devices in Smart Environments
    Using Network Traffic Characteristics"

[Screenshot of the device identification tool: "Found 1800 packets to or from this IP", "Device was classified as:", "Results of device identification:" Xiaomi Mi Cam 2: 59.09%, Amcrest Camera: 36.87%, then lower scores for Wansview Camera, Yi Camera, Bosiwo Camera, Luohe Cam, Lefun Cam (values not legible).]


Cotopaxi feature — resource listing (dirbusting)

* Equivalent to:
  * DirBuster/dirb for CoAP/mDNS/SSDP
  * nmap script coap-resources

* Uses a list of:
  * URIs (for CoAP)
  * services (for mDNS and SSDP)
  * media files (for RTSP)

* Cotopaxi includes sample lists of resources

* User can provide own list of URIs or services


Cotopaxi feature — protocol fuzzer (black-box)

* Uses corpus of malformed protocol messages (payloads)
  prepared with afl (American Fuzzy Lop)

* Checks "service ping" before and after
  sending payload

* Allows to use own corpus of payloads
  and integrate with mutating fuzzer

* In verbose mode displays
  payload and response packet

* Calculates RTT for payloads with responses
  and displays Top 10% - potentially interesting
  because of longest processing on server

[Table: fuzzer corpus per protocol: CoAP, DTLS, mDNS/DNS-SD, MQTT, HTCPCP, SSDP (values not legible).]
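The three bullets above (ping before and after each payload, crash reported when the ping after a payload fails, RTT measured for answered payloads and the slowest 10% reported) describe a control loop, and the next slide's "crash (DoS), detected by service ping" is the verdict that loop produces. The following harness is an added example written for this page, not Cotopaxi's own code. The transport is a constructed in-process stand-in for a UDP service with a fake clock so the run is deterministic; a real run would put a socket behind the same ping()/send() interface. The crash trigger and slow path inside SimulatedTarget are invented for the demonstration, as is the corpus.

```python
"""Black-box fuzzing loop: service ping before and after each payload, crash
detection from the ping, RTT ranking of answered payloads.

Added example, not Cotopaxi's own code. SimulatedTarget, its triggers and
CORPUS are constructed stand-ins so the loop runs offline and deterministically."""
import math
import time
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Result:
    payload: bytes
    response: Optional[bytes]
    rtt: Optional[float]      # seconds, only for payloads that got a response
    verdict: str              # "RESPONSE", "NO_RESPONSE" or "CRASH"


def fuzz(transport, payloads, clock: Callable[[], float] = time.perf_counter) -> List[Result]:
    """Send each payload between two service pings; stop at the first crash."""
    if not transport.ping():
        raise RuntimeError("target does not answer the service ping before fuzzing")
    results = []
    for payload in payloads:
        started = clock()
        response = transport.send(payload)
        rtt = clock() - started
        if not transport.ping():
            # The service stopped answering its protocol-level ping right after
            # this payload: the deck's "crash (DoS), detected by service ping".
            results.append(Result(payload, response, None, "CRASH"))
            break                     # nothing more can be learned from a dead server
        if response is None:
            results.append(Result(payload, None, None, "NO_RESPONSE"))
        else:
            results.append(Result(payload, response, rtt, "RESPONSE"))
    return results


def slowest(results, fraction: float = 0.10) -> List[Result]:
    """Top `fraction` of answered payloads by RTT: longest server-side processing first."""
    answered = sorted((r for r in results if r.rtt is not None),
                      key=lambda r: r.rtt, reverse=True)
    if not answered:
        return []
    return answered[:max(1, math.ceil(len(answered) * fraction))]


class SimulatedTarget:
    """Constructed stand-in for a UDP service; time only advances through send()."""

    def __init__(self):
        self.now = 0.0
        self.alive = True

    def clock(self) -> float:
        return self.now

    def ping(self) -> bool:
        return self.alive       # a real ping sends a protocol message and waits for any reply

    def send(self, payload: bytes) -> Optional[bytes]:
        if not self.alive:
            return None
        self.now += 0.001                          # network round trip
        if payload.startswith(b"\xff"):            # invented crash trigger
            self.alive = False
            return None
        if len(payload) < 4:                       # too short for a header: silently dropped
            return None
        depth = payload.count(b"/")
        if depth > 8:                              # invented slow path: deep resource paths
            self.now += 0.010 * depth
        return b"ACK"


# Constructed corpus: ten ordinary requests, one truncated, two slow, a crasher, one never reached.
CORPUS = ([bytes([0x40, 0x01, 0x00, i]) for i in range(10)]
          + [b"\x40"]
          + [bytes([0x40, 0x01, 0x00, 0xAA]) + b"/" * 12]
          + [bytes([0x40, 0x01, 0x00, 0xBB]) + b"/" * 20]
          + [b"\xff\x00\x00\x00"]
          + [bytes([0x40, 0x01, 0x00, 0xCC])])


def run_demo():
    target = SimulatedTarget()
    results = fuzz(target, CORPUS, clock=target.clock)
    return results, slowest(results)


if __name__ == "__main__":
    results, top = run_demo()
    for r in results:
        shown = None if r.rtt is None else round(r.rtt, 3)
        print(f"{r.verdict:12} rtt={shown} payload={r.payload[:8].hex()}")
    print("slowest 10%:", [r.payload[:4].hex() for r in top])
```

The loop stops at the first crash because every later result would be a timeout against a dead server, not evidence about the payload; a long-running fuzzer would instead restart the target and continue. The RTT ranking is deliberately relative (top 10% of this run) rather than a fixed threshold, since a payload that takes ten times longer than its neighbours is the interesting one whatever the absolute latency of the network.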


Cotopaxi feature — vulnerability tester

* Types of vulnerabilities:
  * information disclosure - unauthorized
    access to internal information
  * crash (DoS) - leads to crash of server
    (detected by service ping)
  * traffic amplification (for DDoS)
    - responses larger than request
  * memory leak - server wastes
    memory after processing payload
    (requires manual confirmation)
  * remote code execution
    (currently only detected as crashes)

* In this release 10 NEW! vulnerabilities

[Table: number of vulnerabilities by type (Information Disclosure, Crash, Traffic Amplification, Memory Leak, Remote Code Execution) and protocol (CoAP, DTLS, mDNS/DNS-SD, ...); TOTAL* = 34. Individual cells are not legible.]

* some vulnerabilities are currently in responsible disclosure process


Cotopaxi feature — vulnerability tester

Example bugs found by our team
and identified by Cotopaxi:

* CVE-2019-9747 in tinysvcmdns (hang)
  mDNS server goes into infinite loop after receiving
  DNS query with recursively referenced names

* CVE-2019-9004 in Wakaama (memory leak)
  CoAP server leaks (wastes) 24 bytes
  per each processed crafted packet

* CVE-2019-9750 in IoTivity (traffic amplification)
  CoAP server responds with 6 error messages

* CVE-2019-18840 in WolfSSL (crash)
  TLS and DTLS servers and clients can be crashed
  using malformed X.509 certificate


Cotopaxi feature — amplification sniffer

* Sniffs for all packets incoming to
  and outgoing from specified target

* Calculates amplification factor (size out / size in - 1)

* Tracks req/resp with highest amplification factor
  and displays record on exit

* Should be placed on router or use network tap
  to see all traffic to/from target


DDoS attack via IP Spoofing and Traffic Amplification

[Figure: vulnerable IoT devices receiving requests made with the victim's spoofed IP address.]

* Identified amplifiers-reflectors:

  * CoAP
    * every request with large response
    * e.g. CoAPthon example /big
    * IoTivity 4.04 6x repeated response
    * IoTivity 000 issue in tester

  * DTLS
    * every DTLS server without Hello Verify Request
    * e.g. Botan 000 issue in tester

Source: Austin Brooks "NTP DDoS Vulnerability"
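The amplification sniffer slide defines the factor as size out / size in - 1 and tracks the request/response pair with the highest value; the list above gives the two shapes that produce it (one large response to a small request, or one request answered several times). The following tracker is an added example written for this page, not Cotopaxi's own code. It pairs each request to the target with the responses the target sends back on the reversed 4-tuple, computes the factor per exchange, and lists exchanges over a threshold, largest first. The packets are constructed records standing in for what a sniffer on a router or network tap would see; the addresses are from reserved documentation ranges and the byte counts are invented to mirror the patterns on the slide.

```python
"""Amplification tracking over captured packets: factor = size out / size in - 1
per request/response exchange, highest factor reported.

Added example, not Cotopaxi's own code. CAPTURE is a constructed packet list."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    length: int          # bytes on the wire


@dataclass
class Exchange:
    request: Packet
    responses: List[Packet] = field(default_factory=list)

    @property
    def bytes_out(self) -> int:
        return sum(p.length for p in self.responses)

    @property
    def factor(self) -> float:
        """Amplification factor as defined on the slide: size out / size in - 1."""
        return self.bytes_out / self.request.length - 1


def track_exchanges(packets, target: str) -> List[Exchange]:
    """Pair packets sent to `target` with the target's replies on the reversed 4-tuple.

    A new request on the same flow closes the previous exchange; replies that
    match no open request (unsolicited traffic) are ignored."""
    pending = {}          # (client ip, client port, target port) -> open Exchange
    done = []
    for p in sorted(packets, key=lambda p: p.ts):
        if p.dst == target:
            key = (p.src, p.sport, p.dport)
            if key in pending:
                done.append(pending.pop(key))
            pending[key] = Exchange(p)
        elif p.src == target:
            key = (p.dst, p.dport, p.sport)
            if key in pending:
                pending[key].responses.append(p)
    done.extend(pending.values())
    return done


def highest_amplification(exchanges) -> Optional[Exchange]:
    """The record the sniffer would display on exit: the answered exchange with the largest factor."""
    answered = [e for e in exchanges if e.responses]
    return max(answered, key=lambda e: e.factor) if answered else None


def reflectors(exchanges, threshold: float = 1.0) -> List[Exchange]:
    """Answered exchanges amplified beyond `threshold` (1.0 = replies at least twice the request), largest first."""
    hits = [e for e in exchanges if e.responses and e.factor > threshold]
    return sorted(hits, key=lambda e: e.factor, reverse=True)


TARGET = "192.0.2.10"
CLIENT = "198.51.100.7"
# Constructed capture on UDP 5683 in the patterns the slide lists.
CAPTURE = [
    Packet(0.000, CLIENT, 40001, TARGET, 5683, 54),     # ordinary GET
    Packet(0.001, TARGET, 5683, CLIENT, 40001, 60),     # ordinary reply, about the same size
    Packet(1.000, CLIENT, 40002, TARGET, 5683, 60),     # GET of a large resource (the "/big" pattern)
    Packet(1.002, TARGET, 5683, CLIENT, 40002, 1400),
    Packet(2.000, CLIENT, 40003, TARGET, 5683, 50),     # one request, six repeated error replies
] + [Packet(2.001 + i * 0.001, TARGET, 5683, CLIENT, 40003, 60) for i in range(6)] + [
    Packet(3.000, TARGET, 5683, "203.0.113.5", 9, 90),  # no open request on this flow: ignored
]

if __name__ == "__main__":
    exchanges = track_exchanges(CAPTURE, TARGET)
    for e in reflectors(exchanges):
        print(f"{e.request.src}:{e.request.sport} -> :{e.request.dport} "
              f"in={e.request.length} out={e.bytes_out} factor={e.factor:.2f}")
    best = highest_amplification(exchanges)
    print("highest amplification factor:", round(best.factor, 2))
```

Pairing by flow rather than by individual packet is what makes the "6x repeated response" case count correctly: the six small replies are summed against the one request they answer, giving a factor of 6.2 here, which a per-packet comparison (60 out against 50 in) would have reported as barely amplifying. The same pairing applies to a DTLS server that answers a ClientHello with a full ServerHello flight instead of a HelloVerifyRequest.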


Cotopaxi - next steps

* Download from Samsung GitHub
  https://github.com/samsung/cotopaxi

* Hack the planet!
  ...but only with the written consent
  of the owner :-)

* Read the friendly manual
  in Readme.md

* Report any issues or requests
  for new features on GitHub

* Pull request with new features

Thank You!

Do you have any questions?

© 2020. Samsung R&D Institute Poland. All rights reserved.